BackUrl::sanitizeForLinks 加强：拒绝二次编码 back%3D 绕过并补单测

2026-03-15 04:11:42 +00:00
parent 54f356f52d
commit e86257e866
2 changed files with 12 additions and 0 deletions
--- a/app/Support/BackUrl.php
+++ b/app/Support/BackUrl.php
@@ -27,9 +27,17 @@ class BackUrl
        }

        // 拒绝 back 自身再包含 back=（避免无限嵌套导致 URL 膨胀，且容易绕过页面侧护栏）
+        // 同时拒绝“二次编码”的 back%3D（例如 %2526back%253D 经过一次 urldecode 后变成 %26back%3D，
+        // 在浏览器点击后会再次被解码为 &back=，形成绕过）。
        if (preg_match('/(?:^|[?&])back=/', $incomingBack)) {
            return '';
        }
+        if (preg_match('/(?:^|[?&]|%26|%3f)back%3d/i', $incomingBack)) {
+            return '';
+        }
+        if (preg_match('/back%253d/i', $incomingBack)) {
+            return '';
+        }

        return $incomingBack;
    }
--- a/tests/Unit/BackUrlSanitizeForLinksTest.php
+++ b/tests/Unit/BackUrlSanitizeForLinksTest.php
@@ -31,6 +31,10 @@ class BackUrlSanitizeForLinksTest extends TestCase
        $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?back=/admin/y'));
        $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=1&back=/admin/y'));
        $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=1&b=2&back=/admin/y'));
+
+        // 二次编码绕过：%26back%3D 在浏览器/中间层解码后会变回 &back=，因此也应拒绝
+        $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=1%26back%3D/admin/y'));
+        $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=1%2526back%253D/admin/y'));
    }

    public function test_sanitize_for_links_should_reject_paths_not_starting_with_slash(): void